Forum Discussion

Kevin_48708
Nimbostratus
Nov 09, 2011

Can SAN certificates be used for Device certificates?

Hello

I'm attempting to apply 3rd party signed certificates as device certificates on a GTM and LTM deployment.

I have created a trust chain by concatenating the Root and Intermediate CA certificates and then importing this file into both the Trusted Server Certificates and Trusted Device Certificates stores. This appears to have been successful, as the two certificates can be viewed in the GUI. I have also set the certificate depth for the gtmd and big3d daemons to 2. I have run bigip_add between the devices I'm attempting to establish communications between.

I then imported a SAN certificate as the Device Certificate.

When running iqdump I get the following output:

[root@xxx:Standby] config iqdump 192.168.13.38
32206:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1054:SSL alert number 43
---
Certificate chain
 0 s:
   i:/DC=mdc/DC=ppmanagement/CN=ALBxxx
-----BEGIN CERTIFICATE-----
***Deleted***
-----END CERTIFICATE-----
 1 s:/DC=mdc/DC=ppmanagement/CN=ALBxxx
   i:/CN=PP Root CA
-----BEGIN CERTIFICATE-----
***Deleted***
-----END CERTIFICATE-----
 2 s:/CN=PP Root CA
   i:/CN=PP Root CA
-----BEGIN CERTIFICATE-----
***Deleted***
-----END CERTIFICATE-----
---
Server certificate
subject=
issuer=/DC=mdc/DC=ppmanagement/CN=ALBxxx
---
Acceptable client certificate CA names
/CN=PP Root CA
/DC=mdc/DC=ppmanagement/CN=ALBxxx
---
SSL handshake has read 4219 bytes and written 4363 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: ***Deleted***
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1320834615
    Timeout   : 7200 (sec)

I get the following output when I attempt to verify the Device Certificate using the Trusted Device Certificate:

[root@xxx:Standby] config openssl verify -purpose sslclient -CAfile /config/big3d/client.crt /config/httpd/conf/ssl.crt/server.crt
/config/httpd/conf/ssl.crt/server.crt:
error 26 at 0 depth lookup:unsupported certificate purpose
OK
[root@xxx:Standby] config

The output seems to point to the fact that the Device Certificate is not supported. I just wondered if anyone had come across this issue and been able to resolve it?

i.e. Has anyone implemented SAN certificates as Device Certificates?

Best Regards

Kevin

I have reviewed the following documents in my attempts to resolve the issue:

http://support.f5.com/kb/en-us/prod...r=17581566
http://support.f5.com/kb/en-us/solu...r=17581554
http://support.f5.com/kb/en-us/solu...l8195.html
http://devcentral.f5.com/Community/...fault.aspx

  • Dear All

    SAN certificates can be used for device certificates.

    There are a few requirements that must be met.

    1. The certificate chain for the root and any intermediate CA certificates must be loaded into the Trusted Device Certificates, for use by the big3d daemon.
    2. The certificate chain for the root and any intermediate CA certificates must be loaded into the Trusted Server Certificates, for use by the gtmd daemon.
    3. The certificate chain for the root and any intermediate CA certificates needs to be saved into /config/httpd/ssl.crt/ for use by httpd.
    4. The httpd daemon then needs to be informed where to find the CA certificate chain.

    Create CA chain

    If your certs are in .pem format then you can simply cut and paste them into a single file. I'm not sure if the order matters, but I put the root CA cert at the top of the file and my intermediate CA below it. If you are familiar with the unix cli command cat, you can do this from the command line on the bigip.

    Big3d

    From the GUI: System >>> Device Certificates >>> Trusted Device Certificates >>> Import.

    At this stage I appended the certificate chain to the existing trusted certificates. You also have the option to replace; beware, this deletes all the existing trusted device certificates.

    Gtmd

    From the GUI: Global Traffic >>> Servers >>> Trusted Server Certificates >>> Import. The same options to append or replace apply as with the big3d process above.

    Httpd

    Use WinSCP or FileZilla etc. to upload the CA certificate chain to /config/httpd/ssl.crt/

    From tmsh you need to instruct httpd to reference the CA certificate chain:

    ) modify sys httpd ssl-certchainfile /config/httpd/ssl.crt/your_ca_cert_chain.crt

    Not sure about bigpipe, but it's something like:

    [root@xxx:Active] / b httpd sslcertchainfile /config/httpd/conf/ssl.crt/your_ca_cert_chain.crt

    Repeat this process on the other GTMs and LTMs (excluding the gtmd part). Restart big3d, gtmd and httpd. Check your results using iqdump.

    Best Regards

    Kevin

  • Hi

    How did you solve this problem?

    I have followed all documentation, including the documentation provided in this topic, but I still have iqsh communication errors between GTM and LTM ...

    From the GTM:

    iqdump 10.0.20.253
    8096:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1054:SSL alert number 43
    ---
    [...]
    ---
    SSL handshake has read 1901 bytes and written 2061 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: ....
        Key-Arg   : None
        Compression: 1 (zlib compression)
        Start Time: 1323953942
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

    But GTM still cannot communicate with LTM.

    openssl verify -purpose sslserver -CAfile /config/httpd/conf/ssl.crt/ca_coreye.crt /config/httpd/conf/ssl.crt/server.crt
    /config/httpd/conf/ssl.crt/server.crt: OK

    Thanks in advance for your help ;)

  • And when I dump the traffic, I saw that the LTM is closing the connection with an Alert (Level: Fatal, Description: unsupported certificate).

    Does GTM need a client certificate to communicate with LTM? And if so, where can I put it (in the web GUI or through SSH)?

  • More and more tests without understanding why SSL does not work for iqsh!

    openssl s_client -connect 10.0.20.253:4353 -showcerts -state -nbio
    CONNECTED(00000003)
    turning on non blocking io
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    write R BLOCK
    SSL_connect:error in SSLv2/v3 read server hello A
    read:errno=104

    But why? The certificate sent by the server is the same as for httpd, and my browser gets no warnings when I connect through HTTPS :/

  • I have finally found it: the certificate needs the Client and Server extensions .... that's pretty abnormal, but it works!
  • Fabien, can you clarify what your last post means.... files need Client and Server extension?
  • I had this problem too, and I think what Fabien means is that the usage of the cert has to be for both client AND server. I was signing servers from our AD CA using the Web Server template, which only sets the usage to be for servers. This didn't work when using them on GTM/LTMs; to get this to work I had to use a template that allows for server and client usage. iQuery works fine now.
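The point the last replies converge on (the device certificate's Extended Key Usage has to cover both TLS Web Server Authentication and TLS Web Client Authentication, because the same certificate is offered as the server certificate by big3d and as the client certificate by the connecting side, which the first post's iqdump output shows being requested under "Acceptable client certificate CA names") and the openssl verify -purpose check from the first post, as an added example that is not code from this thread or from F5. The script builds a throwaway root CA, intermediate CA and SAN leaf certificate with OpenSSL in a temporary directory, concatenates the chain root-first as Kevin's answer describes, and runs the sslserver and sslclient purpose checks against a serverAuth-only leaf (what a web-server CA template issues) and against one carrying both usages. The CA subjects reuse the names from the thread's output; the hostnames, IP address, file names and directory layout are made up, and an OpenSSL 1.1.1 or newer openssl binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): build a small test PKI and
# show why a serverAuth-only device certificate fails the sslclient purpose
# check while a serverAuth+clientAuth certificate passes both.
# All names, hosts and addresses below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_pki DIR EKU
# Root CA -> intermediate CA -> SAN leaf, written under DIR.  EKU is the leaf's
# extendedKeyUsage list, e.g. "serverAuth" or "serverAuth,clientAuth".
build_pki() {
    dir=$1; eku=$2
    mkdir -p "$dir"
    cat >"$dir/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:ltm1.example.test,DNS:ltm1-mgmt.example.test,IP:192.0.2.10
EOF
    # Self-signed root CA (subject name taken from the thread's output)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=PP Root CA" -config "$dir/ext.cnf" -extensions v3_ca \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    # Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=mdc/DC=ppmanagement/CN=ALBxxx" -config "$dir/ext.cnf" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ext.cnf" -extensions v3_ca \
        -out "$dir/inter.crt" >/dev/null 2>&1
    # SAN leaf (the device certificate), signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ltm1.example.test" -config "$dir/ext.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ext.cnf" -extensions v3_leaf \
        -out "$dir/server.crt" >/dev/null 2>&1
    # CA chain file as described in the answer: root first, intermediate below it
    cat "$dir/root.crt" "$dir/inter.crt" >"$dir/ca_chain.crt"
}

# show_eku CERT -> the Extended Key Usage line of CERT (empty if the extension is absent)
show_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# verify_purpose PURPOSE CHAIN CERT -> "ok" or "fail"
# Both the exit status and the text are checked, because the old OpenSSL build
# in the thread prints "OK" after an "error 26 ... unsupported certificate purpose" line.
verify_purpose() {
    out=$(openssl verify -purpose "$1" -CAfile "$2" "$3" 2>&1) || { echo fail; return 0; }
    case $out in
        *error*) echo fail ;;
        *)       echo ok ;;
    esac
}

# check_device_cert DIR -> "<sslserver result> <sslclient result>"
# A device certificate has to pass both: the same cert is the server cert for
# big3d and the client cert for the peer that connects to it.
check_device_cert() {
    printf '%s %s\n' \
        "$(verify_purpose sslserver "$1/ca_chain.crt" "$1/server.crt")" \
        "$(verify_purpose sslclient "$1/ca_chain.crt" "$1/server.crt")"
}

build_pki "$WORK/webserver_template" serverAuth
build_pki "$WORK/both_usages" serverAuth,clientAuth
for d in webserver_template both_usages; do
    echo "$d: EKU = $(show_eku "$WORK/$d/server.crt")"
    echo "$d: sslserver/sslclient = $(check_device_cert "$WORK/$d")"
done
```

The serverAuth-only certificate passes sslserver and fails sslclient with the same error 26 (unsupported certificate purpose) that the first post shows; the one with both usages passes both. That split is exactly what bit the second poster: his openssl verify -purpose sslserver came back OK while big3d still answered with the unsupported certificate alert, and the fix was a CA template that issues both usages. Passing both checks is necessary, not sufficient: the chain still has to be loaded into both the Trusted Device Certificates and Trusted Server Certificates stores, with the certificate depth set to cover the intermediate, on every peer, as the first post describes. The example uses 2048-bit RSA keys; the 1024-bit keys visible in the thread's s_client output are below what current TLS stacks accept.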